[24882] in bugtraq
Anonymizer, MSIE, images ...
daemon@ATHENA.MIT.EDU (Alexander K. Yezhov)
Fri Mar 29 16:24:17 2002
Date: Fri, 29 Mar 2002 03:43:14 +0300
From: "Alexander K. Yezhov" <admin@leader.ru>
Reply-To: "Alexander K. Yezhov" <admin@leader.ru>
Message-ID: <976406250.20020329034314@leader.ru>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hello bugtraq,
Title: Bypassing JavaScript filters
Service: Anonymizer, similar services
Description:
Anonymizer offers free and commercial services that allow users to browse
the web safely. Since JavaScript can be dangerous, all script blocks and
event handlers are cut from the HTML.
Problem N1:
The problem is that not all events are under control. Some MSIE
events can bypass the filters and let a remote server get the real IP of
the client without notice (if the window is framed, the "anon" prefix
will stay in the URL).
Example:
http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
Test N1 uses the onbeforeunload event, which is triggered by a meta refresh
tag. You can also embed JavaScript into the MARQUEE onbounce event (if
the behavior is set to ALTERNATE).
Problem N2:
If an image source points to "mailto:" and the page is loaded through
Anonymizer, the "src" will be prefixed and an Error event will occur.
That also lets a remote server get the real IP of the client without
notice. To avoid launching the e-mail client when the page is browsed
without Anonymizer, a number of tricks can be used.
Example:
http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
Test N2 uses the code <img src="mailto:a" height=1 width=1 onError="">
to redirect the visitor.
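Both problems come down to the same filter weakness: a denylist of known event attribute names and no check on the URL scheme of image sources. The following is an added example, not code from this advisory or from Anonymizer, that contrasts such a denylist with the generic rule a proxy filter should apply (drop every attribute whose name starts with "on", and drop src/href values whose scheme is not http or https). The sample markup, the hypothetical leak() handler and the example.invalid host are constructed to reproduce the three tests described above (onbeforeunload after a meta refresh, MARQUEE onbounce, and an <img> with a mailto: source and an onError handler).

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page reproducing the bypasses described in the advisory.
# leak() and example.invalid are placeholders, not real endpoints.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="1;url=http://example.invalid/next">
<script>alert(1)</script>
</head>
<body onbeforeunload="leak()" onload="leak()">
<marquee behavior="alternate" onbounce="leak()">hi</marquee>
<img src="mailto:a" height=1 width=1 onError="leak()">
<img src="http://example.invalid/pixel.gif">
<a href="javascript:leak()">x</a>
</body></html>"""

# A denylist of "known" events: the kind of filter the advisory shows being
# bypassed, because any handler not named here survives untouched.
DENYLISTED_EVENTS = {"onload", "onclick", "onmouseover", "onunload", "onsubmit"}

SAFE_URL_SCHEMES = {"http", "https", ""}   # "" covers relative URLs
URL_ATTRS = {"src", "href", "action", "background", "lowsrc"}


class ScriptFilter(HTMLParser):
    """Rebuilds the markup, dropping <script> blocks and unwanted attributes."""

    def __init__(self, allowlist: bool):
        super().__init__()
        self.allowlist = allowlist   # True: generic rule, False: denylist
        self.out = []
        self.in_script = 0
        self.dropped = []            # (tag, attr) pairs removed, for logging

    def keep_attr(self, name, value):
        name = name.lower()
        if self.allowlist:
            # Every on* attribute is an event handler, whatever its exact name.
            if name.startswith("on"):
                return False
            if name in URL_ATTRS:
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme not in SAFE_URL_SCHEMES:   # mailto:, javascript:, ...
                    return False
            return True
        return name not in DENYLISTED_EVENTS

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
            return
        if self.in_script:
            return
        kept = []
        for name, value in attrs:
            if self.keep_attr(name, value):
                kept.append((name, value))
            else:
                self.dropped.append((tag, name.lower()))
        parts = [tag] + [
            name if value is None else f'{name}="{html.escape(value, quote=True)}"'
            for name, value in kept
        ]
        self.out.append("<" + " ".join(parts) + ">")

    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
            return
        if not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))


class HandlerCollector(HTMLParser):
    """Collects the on* attribute names still present in filtered markup."""

    def __init__(self):
        super().__init__()
        self.handlers = set()

    def handle_starttag(self, tag, attrs):
        self.handlers.update(n.lower() for n, _ in attrs if n.lower().startswith("on"))

    handle_startendtag = handle_starttag


def sanitize(markup: str, allowlist: bool = True):
    """Return (filtered_html, list of (tag, attr) that were dropped)."""
    f = ScriptFilter(allowlist)
    f.feed(markup)
    f.close()
    return "".join(f.out), f.dropped


def leaked_handlers(markup: str, allowlist: bool):
    """Event handlers that survive the filter; empty for a sound filter."""
    filtered, _ = sanitize(markup, allowlist)
    c = HandlerCollector()
    c.feed(filtered)
    return sorted(c.handlers)


if __name__ == "__main__":
    print("denylist leaves:", leaked_handlers(SAMPLE_HTML, allowlist=False))
    print("generic rule leaves:", leaked_handlers(SAMPLE_HTML, allowlist=True))
    print(sanitize(SAMPLE_HTML, allowlist=True)[0])
```

Run against the constructed page, the denylist version lets onbeforeunload, onbounce and onerror through, exactly the handlers the advisory's two tests rely on, while the generic rule removes them along with the mailto: image source and the javascript: link, and keeps the ordinary http image. The meta refresh itself is left in place, since it is harmless once no unload handler can run.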
Tested on:
Free service, Commercial service.
Problem status:
Anonymizer has been contacted and has already patched the service - the MSIE
events are not working any more. I believe the img problem will be fixed by the
time this message is published.
Best regards, Alexander
-----------------------------------------------------------------------
MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
http://leader.ru http://tools-on.net (Security & Privacy on the Net)
-----------------------------------------------------------------------